Steve Langasek wrote:
> > I've seen a couple of RC bugs being filed for rpath issues in various
> > packages. For stable-security these are only treated as DSA-worthy
> > if the rpath points to /tmp, but not towards a directory like /build
> > or a specific home directory, as exploiting these would require social
> > engineering against root. While they should of course be fixed where
> > possible I'd recommend against treating them as release critical per
> > se. (At least not in the sense they they're a reason for removing a
> > package from testing).
>
> In the case of an rpath pointing to a "specific home directory", I disagree
> that any social engineering is required in order to exploit it.
> Particularly at larger installations, there's a pretty good chance of some
> of these usernames colliding with pre-existing user accounts. Do you think
> this is enough reason to consider such bugs RC?
IMO this is a corner-case. Although the real-world implications are probably
negligable we could as well treat is as RC.
Cheers,
Moritz